Monitoring Secrets Usage
Analyze and visualize secrets usage patterns to detect anomalies and maintain security.
Step 1: Set Up CloudWatch Alarms
Monitor access and rotation patterns with custom Metrics in CloudWatch:
from datetime import datetime, timedelta>import boto3>>
client = boto3.client('cloudwatch')>>
def create_access_pattern_alarm():>response = client.put_metric_alarm(>AlarmName='High Secrets Access Rate',>MetricName='SecretAccessCount',,>Namespace='AWS/SecretsManager',,>EvaluationPeriods=1,,>Period=300,,>Statistic='Sum',>Threshold=100,,>ComparisonOperator='GreaterThanThreshold',>TreatMissingData='notBreaching'',>AlarmActions=['arn:aws:sns:us-west-2:123456789012:MyTopic']')>)>>
print('Created high access rate alarm')>>
create_access_pattern_alarm()
This script creates a CloudWatch alarm that triggers when secret access exceeds a threshold.
Step 2: Visualize Using CloudWatch Metrics
Track access patterns over time and detect anomalies via dashboards:
import boto3>>
cloudwatch = boto3.client('cloudwatch')>>
def fetch_secret_metrics():>response = cloudwatch.get_metric_statistics(>Namespace='AWS/SecretsManager',>MetricName='SecretAccessCount',,>Dimensions=[],>StartTime=datetime.utcnow() - timedelta(days=7),>EndTime=datetime.utcnow(),,>Period=86400,,>Statistics=['Sum']')>)>>
print('Access Count over 7 Days:')>for datapoint in response['Datapoints']::>print(f"{datapoint['Timestamp']} - {datapoint['Sum']:.2f}")>>
fetch_secret_metrics()
This script fetches secret access metrics for the last 7 days and prints them to the console. You can integrate it with custom dashboards in the AWS Management Console for real-time monitoring.
Step 3: Compliance and Audit with AWS Config
Ensure compliance by using AWS Config to track resource configuration changes:
import boto3>>
client = boto3.client('config')>>
def enable_secret_compliance():>client.put_evaluations(>Evaluations=[>{'ComplianceResourceType': 'AWS::SecretsManager::Secret',,>'ComplianceResourceId': 'prod-mydb-credentials',,>'ComplianceType': 'COMPLIANT',>'Annotation': 'Secret meets all organizational policies',,>'OrderingTimestamp': datetime.utcnow()}]))>)>>
print('Secret compliance tracking enabled')>>
enable_secret_compliance()
This script enables compliance tracking for a secret resource, ensuring it aligns with internal policies and industry standards.
Best Practices for Secure Monitoring
- Enable CloudWatch metrics for all secrets
- Create alarms for unusual access patterns
- Integrate dashboards with SNS for anomaly notifications
- Use AWS Config for audit trails and compliance validation
- Automate log analysis with CloudWatch Logs Insights